Early Exit In Rule Evaluations With http.send

[briancullen]

I'm new to OPA and am just trying to get some idea of what the performance of the system would be like if we were to use it. One issue I hit was that the early exit on evaluation is not exactly working as I thought it would. As a concrete (but simple example) I have written a policy that takes in information about a http request including an access token. Permission should be allowed in two situations.

1. If the subject id of the token matches the user id on the path (this can be done without external data).
2. If the user associated with the token has admin privileges (this requires external data and a http call is used).

I assumed that as these are complete document rules that once the first rule matches the second rule either wouldn't be evaluated or the call would be cancelled/ignored. Either way I did not expect OPA to wait until the http call has completed which is what currently appears to be happening.

Am I doing something wrong here or is this expected behaviour? Again I'm only experimenting at this stage so is there a better way structure the policies (shown below) that I'm using?

package service

default allow := false

allow {
  input.token
  data.common.user.userOwnsToken(input.token, input.pathParameters.userId[0])
}

allow {
  input.token
  userData := data.common.user.getUserData
  userData.userRoles[_] == "admin"
}

package common.user

userOwnsToken(token, userId) {
  decodedToken := io.jwt.decode(token)
  decodedToken[1].sub == userId
}

getUserData := userData {
  decodedToken := io.jwt.decode(input.token)
  response := http.send({
  "method": "get",
  "url": concat("/", ["http://localhost:8080/v1/users", decodedToken[1].sub]),
  "headers": {
    "Authorization": concat(" ", ["Bearer", input.token])
  } })
  userData := response.body
}

[anderseknert]

Hi Brian! 👋

I assumed that as these are complete document rules that once the first rule matches the second rule either wouldn't be evaluated or the call would be cancelled/ignored.

There isn't really a first rule, as OPA may evaluate rules in any order. I you need to control the order of evaluation, you'd commonly use else for that purpose:

allow {
  input.token
  data.common.user.userOwnsToken(input.token, input.pathParameters.userId[0])
} else {
  input.token
  userData := data.common.user.getUserData
  userData.userRoles[_] == "admin"
}

Perhaps you'll find my blog on the details of expressing OR in Rego, and control flow in general, useful.

[briancullen]

Thank you Anders. I have tried what you suggested and it works.

I did realise that wasn't an order but thought it might cancel the other operation once it had a result. On a related note, if you don't mind a quick follow up question, how much of the function calls are cached within the scope of a policy evaluation. I have noticed that http.send seems to be cached within a single evaluation but in the above examples I call jwt.decode more than once and I was wondering if did the operation each time or if it cached the result?

[anderseknert]

Yeah, AFAIK calling a built-in twice or more provided the same input would only evaluate it once, then serve the cached result. Same for rules.